Windows Server 2003 r2 user group inheriting admin rights

1st July 2009, 13:32

In our W2K3 AD domain, members of some of the security groups are inheriting administrative rights (to folders) even though their group is not in the administrators group. If I remove the administrator's rights to the folder, the group in question can no longer access the folder. I have checked security on the folder in Windows Explorer - Security and by using CACLS and nothing looks untoward. Can AD Security Groups be granted membership of e.g. admin group using GPs? I am at a loss as to what is going wrong here but, for obvious reasons, I need to fix it fast.
Any help much appreciated.
MP

Comment

As the folder structure is on one of the AD DCs, there are no local groups and I have checked the domain groups for any anomalies and found none. That said, it appears that it is only one of the security groups that has these rights and, as Group Policies are in use, I do suspect that there may be an issue within GP but I am unaware of how these rights can be assigned by group policies.

Comment

I see. Lock down the share permissions to better ensure a restricted access. Furthermore, look at the advanced permissions of NTFS. You can then select a Group and click Edit to have a more granular view.

With regards to Group Policy, you'll have to look at the policies applying and look at the summary in GPMC.

Comment

Thanks for your input. I have resolved the issue. For some reason, a predecessor had seen fit to set up a logon script that mapped a shared drive with the administrator's username and password. Most odd.
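
The root cause found in this thread, a logon script mapping a drive with the administrator's credentials, can be looked for across all logon scripts. The following is an added example, not part of the original thread: a small Python audit that flags `net use` lines carrying a `/user:` switch or a literal password. The function name, the sample script and every server, share and account name in it are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

class Finding(NamedTuple):
    line_no: int
    share: str
    user: Optional[str]      # value of /user:, if present
    inline_password: bool    # True when a literal password follows the share

# Syntax handled: net use [device] \\server\share [password | *] [/user:name]
NET_USE = re.compile(r'\bnet(?:\.exe)?\s+use\b(.*)$', re.IGNORECASE)
TOKEN = re.compile(r'"[^"]*"|\S+')                       # quoted string or bare word
COMMENT = re.compile(r'^\s*@?\s*(?:rem\b|::)', re.IGNORECASE)

def audit_script(text: str) -> List[Finding]:
    """Return net use lines that map a share with alternate credentials."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if COMMENT.match(line):
            continue                                     # commented-out command
        m = NET_USE.search(line)
        if not m:
            continue
        share, user, inline_password = None, None, False
        for tok in TOKEN.findall(m.group(1)):
            tok = tok.strip('"')
            if tok.lower().startswith('/user:'):
                user = tok[6:].strip('"')
            elif tok.startswith('/'):
                continue                                 # other switch, e.g. /persistent:no
            elif tok.startswith('\\\\'):
                share = tok                              # UNC path
            elif share is not None and tok != '*':
                inline_password = True                   # '*' means prompt; anything else is a literal
        if share and (user or inline_password):
            # The password itself is deliberately not copied into the finding.
            findings.append(Finding(line_no, share, user, inline_password))
    return findings

# Constructed sample logon script (not taken from the thread).
SAMPLE = r"""@echo off
rem net use X: \\oldsrv\data secret /user:EXAMPLE\administrator
net use H: \\fs01\home\%USERNAME% /persistent:no
net use S: \\dc01\shared Passw0rd! /user:EXAMPLE\administrator /persistent:no
NET USE T: "\\dc01\team docs" * /USER:EXAMPLE\svc_map
"""

if __name__ == "__main__":
    for f in audit_script(SAMPLE):
        print(f)
```

A share mapped this way is accessed with the rights of the account named in the script, not the logged-on user's group memberships, which matches the symptom described in the first post.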